Merge branch 'master' into kinesis-analytics-l2

.github/workflows/yarn-upgrade.yml

@@ -16,7 +16,7 @@ jobs:
         uses: actions/checkout@v2
 
       - name: Set up Node
-        uses: actions/[email protected].0
+        uses: actions/[email protected].4
         with:
           node-version: 10
 
@@ -55,12 +55,15 @@ jobs:
           lerna exec --parallel ncu -- --upgrade --filter=@types/node,@types/fs-extra --target=minor
           lerna exec --parallel ncu -- --upgrade --filter=typescript --target=patch
           lerna exec --parallel ncu -- --upgrade --reject='@types/node,@types/fs-extra,constructs,typescript,aws-sdk,${{ steps.list-packages.outputs.list }}'  --target=minor
-      # This will create a brand new `yarn.lock` file (this is more efficient than `yarn install && yarn upgrade`)
-      - name: Run "yarn install --force"
-        run: yarn install --force
+      # This will ensure the current lockfile is up-to-date with the dependency specifications (necessary for "yarn update" to run)
+      - name: Run "yarn install"
+        run: yarn install
+
+      - name: Run "yarn upgrade"
+        run: yarn upgrade
 
       - name: Make Pull Request
-        uses: peter-evans/create-pull-request@v2
+        uses: peter-evans/create-pull-request@v3
         with:
           # Git commit details
           branch: automation/yarn-upgrade

CHANGELOG.md

@@ -2,6 +2,50 @@
 
 All notable changes to this project will be documented in this file. See [standard-version](https://github.com/conventional-changelog/standard-version) for commit guidelines.
 
+## [1.88.0](https://github.com/aws/aws-cdk/compare/v1.87.1...v1.88.0) (2021-02-03)
+
+
+### ⚠ BREAKING CHANGES TO EXPERIMENTAL FEATURES
+
+* **appmesh:** the properties virtualRouter and virtualNode of VirtualServiceProps have been replaced with the union-like class VirtualServiceProvider 
+* **appmesh**: the method `addVirtualService` has been removed from `IMesh`
+* **cloudfront:** experimental EdgeFunction stack names have changed from 'edge-lambda-stack-${region}' to 'edge-lambda-stack-${stackid}' to support multiple independent CloudFront distributions with EdgeFunctions.
+
+### Features
+
+* **apigateway:** cognito user pool authorizer ([#12786](https://github.com/aws/aws-cdk/issues/12786)) ([ff1e5b3](https://github.com/aws/aws-cdk/commit/ff1e5b3c580119c107fe26c67fe3cc220f9ee7c9)), closes [#5618](https://github.com/aws/aws-cdk/issues/5618)
+* **apigateway:** import an existing Resource ([#12785](https://github.com/aws/aws-cdk/issues/12785)) ([8a1a9b8](https://github.com/aws/aws-cdk/commit/8a1a9b82a36e681334fd45be595f6ecdf904ad34)), closes [#4432](https://github.com/aws/aws-cdk/issues/4432)
+* **appmesh:** change VirtualService provider to a union-like class ([#11978](https://github.com/aws/aws-cdk/issues/11978)) ([dfc765a](https://github.com/aws/aws-cdk/commit/dfc765af44c755f10be8f6c1c2eae55f62e2aa08)), closes [#9490](https://github.com/aws/aws-cdk/issues/9490)
+* **aws-route53:** cross account DNS delegations ([#12680](https://github.com/aws/aws-cdk/issues/12680)) ([126a693](https://github.com/aws/aws-cdk/commit/126a6935cacc1f68b1d1155e484912d4ed6978f2)), closes [#8776](https://github.com/aws/aws-cdk/issues/8776)
+* **cloudfront:** add PublicKey and KeyGroup L2 constructs  ([#12743](https://github.com/aws/aws-cdk/issues/12743)) ([59cb6d0](https://github.com/aws/aws-cdk/commit/59cb6d032a55515ec5e9903f899de588d18d4cb5))
+* **core:** `stack.exportValue()` can be used to solve "deadly embrace" ([#12778](https://github.com/aws/aws-cdk/issues/12778)) ([3b66088](https://github.com/aws/aws-cdk/commit/3b66088010b6f2315a215e92505d5279680f16d4)), closes [#7602](https://github.com/aws/aws-cdk/issues/7602) [#2036](https://github.com/aws/aws-cdk/issues/2036)
+* **ecr:** Public Gallery authorization token ([#12775](https://github.com/aws/aws-cdk/issues/12775)) ([8434294](https://github.com/aws/aws-cdk/commit/84342943ad9f2ea8a83773f00816a0b8117c4d17))
+* **ecs-patterns:** Add PlatformVersion option to ScheduledFargateTask props ([#12676](https://github.com/aws/aws-cdk/issues/12676)) ([3cbf38b](https://github.com/aws/aws-cdk/commit/3cbf38b09a9e66a6c009f833481fb25b8c5fc26c)), closes [#12623](https://github.com/aws/aws-cdk/issues/12623)
+* **elbv2:** support for 2020 SSL policy ([#12710](https://github.com/aws/aws-cdk/issues/12710)) ([1dd3d05](https://github.com/aws/aws-cdk/commit/1dd3d0518dc2a70c725f87dd5d4377338389125c)), closes [#12595](https://github.com/aws/aws-cdk/issues/12595)
+* **iam:** Permissions Boundaries ([#12777](https://github.com/aws/aws-cdk/issues/12777)) ([415eb86](https://github.com/aws/aws-cdk/commit/415eb861c65829cc53eabbbb8706f83f08c74570)), closes [aws/aws-cdk-rfcs#5](https://github.com/aws/aws-cdk-rfcs/issues/5) [#3242](https://github.com/aws/aws-cdk/issues/3242)
+* **lambda:** inline code for Python 3.8 ([#12788](https://github.com/aws/aws-cdk/issues/12788)) ([8d3aaba](https://github.com/aws/aws-cdk/commit/8d3aabaffe436e6a3eebc0a58fe361c5b4b93f08)), closes [#6503](https://github.com/aws/aws-cdk/issues/6503)
+
+
+### Bug Fixes
+
+* **apigateway:** stack update fails to replace api key ([#12745](https://github.com/aws/aws-cdk/issues/12745)) ([ffe7e42](https://github.com/aws/aws-cdk/commit/ffe7e425e605144a465cea9befa68d4fe19f9d8c)), closes [#12698](https://github.com/aws/aws-cdk/issues/12698)
+* **cfn-include:** AWS::CloudFormation resources fail in monocdk ([#12758](https://github.com/aws/aws-cdk/issues/12758)) ([5060782](https://github.com/aws/aws-cdk/commit/5060782b00e17bdf44e225f8f5ef03344be238c7)), closes [#11595](https://github.com/aws/aws-cdk/issues/11595)
+* **cli, codepipeline:** renamed bootstrap stack still not supported ([#12771](https://github.com/aws/aws-cdk/issues/12771)) ([40b32bb](https://github.com/aws/aws-cdk/commit/40b32bbda272b6e2f92fd5dd8de7ca5bf405ce52)), closes [#12594](https://github.com/aws/aws-cdk/issues/12594) [#12732](https://github.com/aws/aws-cdk/issues/12732)
+* **cloudfront:** use node addr for edgeStackId name ([#12702](https://github.com/aws/aws-cdk/issues/12702)) ([c429bb7](https://github.com/aws/aws-cdk/commit/c429bb7df2406346426dce22d716cabc484ec7e6)), closes [#12323](https://github.com/aws/aws-cdk/issues/12323)
+* **codedeploy:** wrong syntax on Windows 'installAgent' flag ([#12736](https://github.com/aws/aws-cdk/issues/12736)) ([238742e](https://github.com/aws/aws-cdk/commit/238742e4323310ce850d8edc70abe4b0e9f53186)), closes [#12734](https://github.com/aws/aws-cdk/issues/12734)
+* **codepipeline:** permission denied for Action-level environment variables ([#12761](https://github.com/aws/aws-cdk/issues/12761)) ([99fd074](https://github.com/aws/aws-cdk/commit/99fd074a07ead624f64d3fe64685ba67c798976e)), closes [#12742](https://github.com/aws/aws-cdk/issues/12742)
+* **ec2:** ARM-backed bastion hosts try to run x86-based Amazon Linux AMI ([#12280](https://github.com/aws/aws-cdk/issues/12280)) ([1a73d76](https://github.com/aws/aws-cdk/commit/1a73d761ad2363842567a1b6e0488ceb093e70b2)), closes [#12279](https://github.com/aws/aws-cdk/issues/12279)
+* **efs:** EFS fails to create when using a VPC with multiple subnets per availability zone ([#12097](https://github.com/aws/aws-cdk/issues/12097)) ([889d673](https://github.com/aws/aws-cdk/commit/889d6734c10174f2661e45057c345cd112a44187)), closes [#10170](https://github.com/aws/aws-cdk/issues/10170)
+* **iam:** cannot use the same Role for multiple Config Rules ([#12724](https://github.com/aws/aws-cdk/issues/12724)) ([2f6521a](https://github.com/aws/aws-cdk/commit/2f6521a1d8670b2653f7dee281309351181cf918)), closes [#12714](https://github.com/aws/aws-cdk/issues/12714)
+* **lambda:** codeguru profiler not set up for Node runtime ([#12712](https://github.com/aws/aws-cdk/issues/12712)) ([59db763](https://github.com/aws/aws-cdk/commit/59db763e7d05d68fd85b6fd37246d69d4670d7d5)), closes [#12624](https://github.com/aws/aws-cdk/issues/12624)
+
+## [1.87.1](https://github.com/aws/aws-cdk/compare/v1.87.0...v1.87.1) (2021-01-28)
+
+
+### Bug Fixes
+
+* **apigateway:** stack update fails to replace api key ([38cbe62](https://github.com/aws/aws-cdk/commit/38cbe620859d6efabda95dbdd3185a480ab43894)), closes [#12698](https://github.com/aws/aws-cdk/issues/12698)
+
 ## [1.87.0](https://github.com/aws/aws-cdk/compare/v1.86.0...v1.87.0) (2021-01-27)
 
 

packages/@aws-cdk/assert/lib/assertions/have-resource.ts

@@ -59,14 +59,14 @@ export class HaveResourceAssertion extends JestFriendlyAssertion<StackInspector>
       properties === undefined ? anything() :
         allowValueExtension ? deepObjectLike(properties) :
           objectLike(properties);
-    this.part = part !== undefined ? part : ResourcePart.Properties;
+    this.part = part ?? ResourcePart.Properties;
   }
 
   public assertUsing(inspector: StackInspector): boolean {
     for (const logicalId of Object.keys(inspector.value.Resources || {})) {
       const resource = inspector.value.Resources[logicalId];
       if (resource.Type === this.resourceType) {
-        const propsToCheck = this.part === ResourcePart.Properties ? resource.Properties : resource;
+        const propsToCheck = this.part === ResourcePart.Properties ? (resource.Properties ?? {}) : resource;
 
         // Pass inspection object as 2nd argument, initialize failure with default string,
         // to maintain backwards compatibility with old predicate API.

packages/@aws-cdk/assets/lib/staging.ts

@@ -1,7 +1,11 @@
-import { AssetStaging, Construct } from '@aws-cdk/core';
+import { AssetStaging } from '@aws-cdk/core';
 import { toSymlinkFollow } from './compat';
 import { FingerprintOptions } from './fs/options';
 
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct } from '@aws-cdk/core';
+
 /**
  * Deprecated
  * @deprecated use `core.AssetStagingProps`

packages/@aws-cdk/aws-amplify/lib/app.ts

@@ -218,9 +218,9 @@ export class App extends Resource implements IApp, iam.IGrantable {
         basicAuthConfig: props.autoBranchCreation.basicAuth && props.autoBranchCreation.basicAuth.bind(this, 'BranchBasicAuth'),
         buildSpec: props.autoBranchCreation.buildSpec && props.autoBranchCreation.buildSpec.toBuildSpec(),
         enableAutoBranchCreation: true,
-        enableAutoBuild: props.autoBranchCreation.autoBuild === undefined ? true : props.autoBranchCreation.autoBuild,
+        enableAutoBuild: props.autoBranchCreation.autoBuild ?? true,
         environmentVariables: Lazy.any({ produce: () => renderEnvironmentVariables(this.autoBranchEnvironmentVariables ) }, { omitEmptyArray: true }), // eslint-disable-line max-len
-        enablePullRequestPreview: props.autoBranchCreation.pullRequestPreview === undefined ? true : props.autoBranchCreation.pullRequestPreview,
+        enablePullRequestPreview: props.autoBranchCreation.pullRequestPreview ?? true,
         pullRequestEnvironmentName: props.autoBranchCreation.pullRequestEnvironmentName,
         stage: props.autoBranchCreation.stage,
       },

packages/@aws-cdk/aws-amplify/lib/branch.ts

@@ -139,8 +139,8 @@ export class Branch extends Resource implements IBranch {
       branchName,
       buildSpec: props.buildSpec && props.buildSpec.toBuildSpec(),
       description: props.description,
-      enableAutoBuild: props.autoBuild === undefined ? true : props.autoBuild,
-      enablePullRequestPreview: props.pullRequestPreview === undefined ? true : props.pullRequestPreview,
+      enableAutoBuild: props.autoBuild ?? true,
+      enablePullRequestPreview: props.pullRequestPreview ?? true,
       environmentVariables: Lazy.any({ produce: () => renderEnvironmentVariables(this.environmentVariables) }, { omitEmptyArray: true }),
       pullRequestEnvironmentName: props.pullRequestEnvironmentName,
       stage: props.stage,

packages/@aws-cdk/aws-amplify/lib/domain.ts

@@ -147,7 +147,7 @@ export class Domain extends Resource {
   private renderSubDomainSettings() {
     return this.subDomains.map(s => ({
       branchName: s.branch.branchName,
-      prefix: s.prefix === undefined ? s.branch.branchName : s.prefix,
+      prefix: s.prefix ?? s.branch.branchName,
     }));
   }
 }

packages/@aws-cdk/aws-apigateway/README.md

@@ -32,6 +32,7 @@ running on AWS Lambda, or any web application.
   - [IAM-based authorizer](#iam-based-authorizer)
   - [Lambda-based token authorizer](#lambda-based-token-authorizer)
   - [Lambda-based request authorizer](#lambda-based-request-authorizer)
+  - [Cognito User Pools authorizer](#cognito-user-pools-authorizer)
 - [Mutual TLS](#mutal-tls-mtls)
 - [Deployments](#deployments)
   - [Deep dive: Invalidation of deployments](#deep-dive-invalidation-of-deployments)
@@ -580,6 +581,25 @@ Authorizers can also be passed via the `defaultMethodOptions` property within th
 explicitly overridden, the specified defaults will be applied across all `Method`s across the `RestApi` or across all `Resource`s,
 depending on where the defaults were specified.
 
+### Cognito User Pools authorizer
+
+API Gateway also allows [Amazon Cognito user pools as authorizer](https://docs.aws.amazon.com/apigateway/latest/developerguide/apigateway-integrate-with-cognito.html)
+
+The following snippet configures a Cognito user pool as an authorizer:
+
+```ts
+const userPool = new cognito.UserPool(stack, 'UserPool');
+
+const auth = new apigateway.CognitoUserPoolsAuthorizer(this, 'booksAuthorizer', {
+  cognitoUserPools: [userPool]
+});
+
+books.addMethod('GET', new apigateway.HttpIntegration('http://amazon.com'), {
+  authorizer: auth,
+  authorizationType: apigateway.AuthorizationType.COGNITO,
+});
+```
+
 ## Mutual TLS (mTLS)
 
 Mutual TLS can be configured to limit access to your API based by using client certificates instead of (or as an extension of) using authorization headers.

packages/@aws-cdk/aws-apigateway/lib/authorizers/cognito.ts

@@ -0,0 +1,115 @@
+import * as cognito from '@aws-cdk/aws-cognito';
+import { Duration, Lazy, Names, Stack } from '@aws-cdk/core';
+import { Construct } from 'constructs';
+import { CfnAuthorizer } from '../apigateway.generated';
+import { Authorizer, IAuthorizer } from '../authorizer';
+import { AuthorizationType } from '../method';
+import { IRestApi } from '../restapi';
+
+/**
+ * Properties for CognitoUserPoolsAuthorizer
+ */
+export interface CognitoUserPoolsAuthorizerProps {
+  /**
+   * An optional human friendly name for the authorizer. Note that, this is not the primary identifier of the authorizer.
+   *
+   * @default - the unique construct ID
+   */
+  readonly authorizerName?: string;
+
+  /**
+   * The user pools to associate with this authorizer.
+   */
+  readonly cognitoUserPools: cognito.IUserPool[];
+
+  /**
+   * How long APIGateway should cache the results. Max 1 hour.
+   * Disable caching by setting this to 0.
+   *
+   * @default Duration.minutes(5)
+   */
+  readonly resultsCacheTtl?: Duration;
+
+  /**
+   * The request header mapping expression for the bearer token. This is typically passed as part of the header, in which case
+   * this should be `method.request.header.Authorizer` where Authorizer is the header containing the bearer token.
+   * @see https://docs.aws.amazon.com/apigateway/api-reference/link-relation/authorizer-create/#identitySource
+   * @default `IdentitySource.header('Authorization')`
+   */
+  readonly identitySource?: string;
+}
+
+/**
+ * Cognito user pools based custom authorizer
+ *
+ * @resource AWS::ApiGateway::Authorizer
+ */
+export class CognitoUserPoolsAuthorizer extends Authorizer implements IAuthorizer {
+  /**
+   * The id of the authorizer.
+   * @attribute
+   */
+  public readonly authorizerId: string;
+
+  /**
+   * The ARN of the authorizer to be used in permission policies, such as IAM and resource-based grants.
+   * @attribute
+   */
+  public readonly authorizerArn: string;
+
+  /**
+   * The authorization type of this authorizer.
+   */
+  public readonly authorizationType?: AuthorizationType;
+
+  private restApiId?: string;
+
+  constructor(scope: Construct, id: string, props: CognitoUserPoolsAuthorizerProps) {
+    super(scope, id);
+
+    const restApiId = this.lazyRestApiId();
+    const resource = new CfnAuthorizer(this, 'Resource', {
+      name: props.authorizerName ?? Names.uniqueId(this),
+      restApiId,
+      type: 'COGNITO_USER_POOLS',
+      providerArns: props.cognitoUserPools.map(userPool => userPool.userPoolArn),
+      authorizerResultTtlInSeconds: props.resultsCacheTtl?.toSeconds(),
+      identitySource: props.identitySource || 'method.request.header.Authorization',
+    });
+
+    this.authorizerId = resource.ref;
+    this.authorizerArn = Stack.of(this).formatArn({
+      service: 'execute-api',
+      resource: restApiId,
+      resourceName: `authorizers/${this.authorizerId}`,
+    });
+    this.authorizationType = AuthorizationType.COGNITO;
+  }
+
+  /**
+   * Attaches this authorizer to a specific REST API.
+   * @internal
+   */
+  public _attachToApi(restApi: IRestApi): void {
+    if (this.restApiId && this.restApiId !== restApi.restApiId) {
+      throw new Error('Cannot attach authorizer to two different rest APIs');
+    }
+
+    this.restApiId = restApi.restApiId;
+  }
+
+  /**
+   * Returns a token that resolves to the Rest Api Id at the time of synthesis.
+   * Throws an error, during token resolution, if no RestApi is attached to this authorizer.
+   */
+  private lazyRestApiId() {
+    return Lazy.string({
+      produce: () => {
+        if (!this.restApiId) {
+          throw new Error(`Authorizer (${this.node.path}) must be attached to a RestApi`);
+        }
+        return this.restApiId;
+      },
+    });
+  }
+}

packages/@aws-cdk/aws-apigateway/lib/authorizers/index.ts

@@ -1,2 +1,3 @@
 export * from './lambda';
 export * from './identity-source';
+export * from './cognito';

packages/@aws-cdk/aws-apigateway/lib/deployment.ts

@@ -1,10 +1,14 @@
 import * as crypto from 'crypto';
-import { Construct as CoreConstruct, Lazy, RemovalPolicy, Resource, CfnResource } from '@aws-cdk/core';
+import { Lazy, RemovalPolicy, Resource, CfnResource } from '@aws-cdk/core';
 import { Construct } from 'constructs';
 import { CfnDeployment } from './apigateway.generated';
 import { Method } from './method';
 import { IRestApi, RestApi, SpecRestApi, RestApiBase } from './restapi';
 
+// keep this import separate from other imports to reduce chance for merge conflicts with v2-main
+// eslint-disable-next-line no-duplicate-imports, import/order
+import { Construct as CoreConstruct } from '@aws-cdk/core';
+
 export interface DeploymentProps {
   /**
    * The Rest API to deploy.

packages/@aws-cdk/aws-apigateway/lib/integrations/http.ts

@@ -38,7 +38,7 @@ export interface HttpIntegrationProps {
  */
 export class HttpIntegration extends Integration {
   constructor(url: string, props: HttpIntegrationProps = { }) {
-    const proxy = props.proxy !== undefined ? props.proxy : true;
+    const proxy = props.proxy ?? true;
     const method = props.httpMethod || 'GET';
     super({
       type: proxy ? IntegrationType.HTTP_PROXY : IntegrationType.HTTP,

packages/@aws-cdk/aws-apigateway/lib/integrations/lambda.ts

@@ -41,7 +41,7 @@ export class LambdaIntegration extends AwsIntegration {
   private readonly enableTest: boolean;
 
   constructor(handler: lambda.IFunction, options: LambdaIntegrationOptions = { }) {
-    const proxy = options.proxy === undefined ? true : options.proxy;
+    const proxy = options.proxy ?? true;
 
     super({
       proxy,
@@ -51,7 +51,7 @@ export class LambdaIntegration extends AwsIntegration {
     });
 
     this.handler = handler;
-    this.enableTest = options.allowTestInvoke === undefined ? true : options.allowTestInvoke;
+    this.enableTest = options.allowTestInvoke ?? true;
   }
 
   public bind(method: Method): IntegrationConfig {